
In February, I applauded Microsoft for taking a decisive step in the fight against macro-malware. Here is part of what I wrote:
…more than 25 years after first distributing the Concept virus on CD-ROM and triggering the whole problem, Microsoft has done something that might be more effective in stopping the spread of macro malware.
Microsoft has announced that it is changing the default behavior of Office applications so that they block macros in files from the Internet.
Additionally, it won’t give users a single click to allow macros to run, defeating many of the social engineering tricks commonly used by cybercriminals.
According to Microsoft, its products would no longer display a yellow warning stripe at the top of documents containing macros that – with clever social engineering – could trick unsuspecting users into clicking an “Enable Content” button and allowing malicious macros to run.
Instead, the new design would see a redesign (no more yellow stripe, hello red!) without an oh-so-tempting-and-oh-so-dangerous “Activate Content” button.
SECURITY RISK: Microsoft has blocked macro execution because the source of this file is untrusted.
Unfortunately, things didn’t go as smoothly as Microsoft (and, indeed, the rest of us) might have hoped:
Update July 6, 2022: Based on feedback, we are reverting this change to the current channel. We appreciate the feedback we’ve received so far and are working to improve this experience. We will provide another update when we are ready to post again on the current channel. Thanks.
In other words, Microsoft has rolled back its plans, at least for now. That is good news for attackers, who can continue to rely on the years-old technique of hiding malicious macros in Office documents sent from the Internet.
Hopefully Microsoft fixes the issues that have arisen with its planned macro block and soon has another shot at closing off such a common attack vector.
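Administrators do not have to wait for Microsoft's default to change: the "block macros from running in Office files from the Internet" policy has been available since Office 2016 and does the same thing the reverted default did. The script below is an added example, not code from the original article or from Microsoft; it assumes a 16.0 Office install (Office 2016 through Microsoft 365), applies the policy for Word, Excel and PowerPoint in the current user's hive, and includes a small helper to read the Zone.Identifier stream (the "mark of the web") that Windows attaches to downloaded files, which is what Office consults to decide a file came "from the Internet". The `Get-ZoneId` function name is my own.

```powershell
# Added example (not from the original post): enforce "block macros in files
# from the Internet" via the Office policy registry value, regardless of what
# Microsoft ships as the default. Assumes Office version key 16.0.
$apps = 'word', 'excel', 'powerpoint'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 1 = block VBA macros when the file carries an Internet (3) or Restricted (4) zone mark
    New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Audit: print the effective value for each application
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\security"
    $v = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
        -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    '{0,-10} blockcontentexecutionfrominternet = {1}' -f $app, $v
}

# Helper (hypothetical name): return the ZoneId from a file's Zone.Identifier
# alternate data stream, or $null when the file carries no mark of the web.
function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }   # local file, or the mark was stripped
    $line = $stream | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($line) { return [int]($line -replace '^ZoneId=', '') }
    return $null
}

# Example check on a downloaded document (path is illustrative)
$zone = Get-ZoneId -Path "$env:USERPROFILE\Downloads\invoice.docm"
if ($zone -ge 3) { "Macros in this file will be blocked by the policy (ZoneId=$zone)" }
else             { "No Internet zone mark (ZoneId=$zone); the policy will not apply" }
```

Two caveats a practitioner should keep in mind. The value lives under `HKCU\Software\Policies`, so for fleet-wide enforcement deploy it through Group Policy with the Office ADMX templates rather than a per-user script. And the block only fires when the mark of the web is present: a document extracted from an ISO or similar container, or one delivered on removable media, may carry no Zone.Identifier stream and will not be treated as "from the Internet", so this control complements rather than replaces mail filtering and macro-free document policies.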
Did you find this article interesting? Follow Graham Cluley on Twitter to learn more about the exclusive content we publish.